VMware CEO Pat Gelsinger and one of his top lieutenants used the Interop keynote stage today to convince customers that virtualization can solve their network security problems.

Gelsinger and Martin Casado, creator of OpenFlow and chief networking architect of VMware, were vague on the details but said that VMware’s NSX network virtualization software will be at the heart of it. VMware wants to use virtualization to put new security capabilities into a “Goldilocks” zone somewhere between client devices and the edge of the network, Casado said.

“One place we like to put security controls is in the endpoint,” Casado said. This provides “a lot of context, files, objects, users, and what resources are being consumed, but you’re in this untrusted domain… Putting a security control there is kind of like taking the on/off switch to an alarm system and putting it on the outside of a house.”

“Another place we like to put security controls is in the infrastructure,” he continued. “Now you’ve actually got great isolation, you’ve reduced your attack surface, it’s far away [from end-user devices], but you have almost no context. IP addresses and ports, the networking guys have known this forever, they’re bad approximations for what we’re trying to do. What I’m exploring is how can you use the hypervisor to bridge this context/isolation divide.”

VMware has been talking about the security benefits of virtual machines for years, but the company is now making security a central part of its sales pitch. Virtual machines themselves are no longer enough to differentiate VMware from Microsoft and the other competitors that followed the company into x86 virtualization.

A Wired profile of Casado in February said he wants to build a “security platform that would stretch across a computer network and provide hooks into practically every piece of hardware and software,” which would provide "both the context of what’s happening on your network and the tools needed to isolate certain data and people from one another.”

The question is how to use the hypervisor “to extract meaningful context from the edge, things like users and applications, things like vulnerability posture, is this compromised or not, and securely pass that down to the infrastructure for enforcement,” Casado said today. “Over the past year we’ve built out technology that will protect guest level things. It will establish a root of trust in the guest, and it will establish a trusted path to pass that information down.” Such a foundation will enable “next generation” firewalls and antivirus, he said.

Casado was formerly a researcher at the Lawrence Livermore National Laboratory who then went on to Stanford University and founded software-defined networking company Nicira, which VMware bought in 2012.

“I used to work for the government in the intelligence community doing security,” Casado said. “That work underlies what we did at Stanford, it motivated that. In many ways the original goal or use case for software-defined networking was security.”

VMware’s NSX, based largely on Nicira technology, puts networking functions such as switching and routing into software that’s decoupled from the underlying hardware.

NSX “allows us to create networks in seconds, save them, delete them, restore them, like virtual machines,” Gelsinger said. “It’s not just switching and routing, but all other services a network would provide, such as firewalls and load balancers.”

VMware called network security the NSX platform’s “hidden gem” in a blog post last November. Virtual networks are “isolated from the underlying physical infrastructure,” VMware said. “This isolation protects the underlying physical infrastructure from any possible attack initiated by workloads in any virtual network.” Additionally, “firewall-based network segmentation” can be centrally configured, and if a workload moves to new machines, “firewall rules and other network services move with the workload.”

VMware intends to rely a lot on partners to expand upon these capabilities. For example, VMware is working with enterprise firewall maker Palo Alto Networks to let NSX automate deployment of Palo Alto security features.

“We’re not going to be able to do all of these things, so Goldilocks is largely a platform where we’re engaging our partners to build on top of this,” Casado said.

Gelsinger claimed VMware will help businesses stem the tide of data breaches without breaking the bank. “Security spending is exploding and thus becoming a larger portion of spending in the IT budget,” Gelsinger said. “Security breaches are the only things growing faster than security spending.”

The security claims made by IT vendors are notoriously exaggerated, so tech professionals will likely exercise healthy skepticism. VMware’s annual VMworld conference is in late August, and we could hear more details on the company’s security plans at that time.

20 Reader Comments

“I used to work for the government in the intelligence community doing security,” Casado said. “That work underlies what we did at Stanford, it motivated that. In many ways the original goal or use case for software-defined networking was security.”

Virtual routing and switching and software defined networking are certainly the future for multitenant environments. Cisco does VRFs and other virtual networking very well in their Nexus equipment. However, logging and monitoring and other controls have to be perfect for it to work and have evidence to support investigations.

I am not saying this would be a good idea; however, it would let you run your SQL and Memcached on the same box as Apache, thus eliminating some of the network.

vSphere has had functionality to group servers together (DRS Groups and Rules) to ensure locality for some time. NSX on top of that prevents hairpinning if the servers are on separate subnets and routing is required.

I've used similar grouping of servers in past designs with good results (though with servers on the same subnet, so no routing was required, ergo traffic stays local to the vSwitch).

Just wait about 8,000 years for the Y10K problem (or YAK if you're into hex).

Y2048 should be fun and not that far away.

Before then is the problem of crappy Y2K patches that have a hard-coded limit of 2020/2024/2032. Personally I'd like to physically reprogram any developer that used or uses non-standard short date formats.

Had fun yesterday with Fortran code with a 7-character date format: 2 chars for the day, 3 chars for the month and 2 for the year.

“I used to work for the government in the intelligence community doing security,” Casado said. “That work underlies what we did at Stanford, it motivated that. In many ways the original goal or use case for software-defined networking was security.”

NSA?

I'm a trifle surprised that it's still considered sensible to start your security sales pitch with "I was a spook hatchetman; buy from me!"

How many of these people who are spouting stuff about VMware wanting more money etc. have actually used the products? And how many of you are actually people who couldn't afford or didn't want to pay to use the product and are bitter about it?

I am genuinely interested in an answer to the above, because in my previous company I built and maintained a fairly large VMware cluster, and yeah, it wasn't cheap when you try and compare it to say Xen or KVM. However it all worked as expected, it was easy to configure, even for the more complex things, it was easy to maintain and update. Hell, I moved the VMs on the cluster between datacentres with zero downtime. In any other virtualisation product, that wouldn't have been possible.

Where I now work, we have a Hyper-V virtualisation environment, and although Microsoft have caught up a fair bit with regards to the main functions, it is nowhere near as refined.

Also, whenever I did have an issue with the VMware environment, submitting a support request was easy and I had someone on the phone who knew what they were talking about within 10 minutes. You try getting that sort of support from Microsoft, and that isn't even including how much you pay for the support from them, whereas the VMware support is included.

So for everyone saying it is too expensive, have you actually used both it and a competitor to see if the grass really is greener?


Awesome and expensive is still expensive, just saying. It's like someone telling all of us that his Ferrari handles great and what not, and deriding those peons who can't even afford a Ferrari keychain, much less the keys to the car.

The problem has to do with scale. Using a smarter hypervisor that connects with other hypervisors over the network is not a bad idea. However, using hundreds or thousands of them can be difficult to scale in terms of the control protocols and management/operations. What VMware is doing is moving the network into the hypervisor, then interconnecting the hypervisors using tunnels. As many folks that run networks well know, the control and management planes get pretty complex at large scale. Also, a more distributed control is way more scalable than using a centralized brain. I wouldn't want to try to upgrade the code on that.